You probably already know that Artificial Intelligence (AI) and Machine Learning (ML) can power things like self-driving cars or your phone’s digital assistant. But did you know that AI & ML can also improve the way we design and manage networks? Well, it can – and leveraging the power of AI & ML for this purpose is one of the many ways Cisco is bringing innovation to the world of network design.
All networks do the same basic thing – they allow devices to exchange information with each other. However, there is an infinite variety of ways in which networks can be designed to perform that generic function. This is because customers have a variety of technologies, features, and solutions available to make their networks meet the needs of the business.
Network design & policies are the rules that define how devices are allowed to communicate with one another. This plays a critical role in guaranteeing availability, optimizing traffic flow, enforcing security rules and so on.
Traditionally, network architects devised network configurations and policies manually in response to changing requirements, such as the adoption of new technologies.
As a result, network design traditionally consumed large amounts of time and effort, because it is a highly manual process that bridges the gap between operational and strategic concerns. As a network grew larger, design complexity grew with it, and so did the amount of data to keep track of. Additionally, as networks scaled up it became increasingly harder to ensure that the policies already deployed were still the most efficient, or even valid, at the increased scale.
At the same time, analyzing network design was a very complex process. It often involved multiple stakeholders, who each had to weigh in on how network design impacted their parts of the organization. As more applications leverage the network directly, the environment gets more complicated and requires standards to maintain a level of support.
Policy drift, too, was a constant issue. Even if teams configured network policies consistently at first, those policies had a tendency to become inconsistent over time due to requirements changes, staffing changes, break-fix scenarios and so on. Policy inconsistency added even more complexity to network design analysis, while also making it harder to troubleshoot problems and provide support to users.
However, thanks to AI/ML and its ability to unlock the power of data, a better world is now possible when it comes to network design and analysis.
Today, network architects can use AI/ML to analyze a variety of possible policy configurations, then determine which ones are best suited to a given set of requirements. This data science approach means not just that engineers spend much less time parsing policies manually, but also that there is greater consistency in how both network and application policies are defined, and better alignment between network design and business needs.
At the same time, AI/ML-based network design and analytics allows organizations to define and measure critical benchmarks that quantify the value of their network. They can, for example, measure time-to-deployment of new policies, or track how particular policies improve (or hinder) network security. Moreover, this data science and analytics approach unlocks immense creative design potential and even enables us to define entirely new and powerful metrics. For example, PVA (mentioned below) uses a (patent pending) complexity algorithm that determines which policies contribute to the overall complexity and supportability of the network.
Last but not least, AI/ML also allows organizations to be proactive about improving network operations by updating policies. Engineers can automatically assess existing policies to find sub-optimal configurations. They can then update them in order to improve traffic flow, mitigate security risks and so on.
At this point, you may be thinking: “Leveraging AI/ML to improve network design sounds great, but what if I don’t have data scientists on staff? Who’s going to build the models to help me optimize my network?”
At Cisco, we’re currently working on several initiatives designed to help every business, not just large enterprises, build bespoke AI/ML solutions for network design and management. This will enable them to bring the benefits of data science to bear on their network policies. All of these solutions are part of Cisco’s Business Critical Services (BCS) offerings.
Place in Network (PIN) is a machine learning model we’ve developed that predicts the functional role and business importance of devices within networks. In turn, it helps teams learn which devices to prioritize when remediating vulnerabilities, based on how important a device is to the network and the business.
PIN also helps our consultants learn an environment more quickly by highlighting the role of a device and its relative importance. When consultants make recommendations to customers, or when insights are delivered via self-service portals, PIN adds another dimension of prioritization for remediation tasks and provides more context.
This means that, when you discover a security issue, PIN can tell you at a glance which devices are affected, and which ones you should isolate first via network policies. This ensures that you can protect mission-critical devices as quickly as possible, then work on addressing risks to other devices that are not as important to the business.
Furthermore, the role of a device can often hint at potential attack vectors, or at where other compensating controls may already be in place to minimize risk. For example, a security vulnerability that is exploitable remotely may pose a higher risk to your internet edge devices than to your access layer switches sitting behind multiple layers of security. PIN provides the ability to classify devices by role, which is especially powerful for devices whose function cannot otherwise be identified from hostname or product family alone. This enables you to rank actions by importance: if you have a vulnerability, you can address the immediate risks and most impactful items first to minimize exposure.
Policy Variation Analysis (PVA) allows teams to take a statistical approach to understanding their network policies. It compares actual policies to policy standards in order to identify policies that have drifted from ideal configurations or that otherwise stand to be improved.
PVA provides visualizations so that analysts can see at a glance what network policy trends look like and detect outliers that may require attention.
This also makes the visualization of policies, and the potential impacts of policy decisions, easier to quantify through the use of a flow chart. PVA therefore enables users to directly combat the policy drift problem described earlier. Users can quickly identify policies that are not deployed or configured to their standards and see the differences between policy variations.
All of these factors work in unison to increase network supportability by reducing the amount of drift and complexity in the environment. PVA equips organizations with a powerful tool to automatically mitigate the growing pains and complexity of large networks. In addition, it gives consultants a look into the strategies their customers use for policy management and deployment.
With Design Builder, you can automate design reviews and audits. Design Builder uses graph theory to create intelligent mappings of device relationships on the network in order to summarize design patterns and surface insights that engineers can use to improve design.
With the topology and relationship information available in Design Builder, it takes less time to understand overall network architectures. It also makes it easier to track how different parts of the network map onto different business units or resources. For example, you can see how virtual network resources relate to specific physical sites, like a retail store or bank branch.
A so-called ‘golden template’ is a Cisco certified and standardized configuration for a device that can be confidently and securely applied to one or multiple devices across a network. Such a ‘golden template’ allows network devices to be brought up quickly and efficiently with a readily available vetted foundational configuration. Device-specific customization can obviously be made once the golden template has been applied to a device, but the template ensures that required network policies are configured correctly at a foundational level.
Creating a ‘golden template’ is the holy grail for network designers; such templates are often developed through hard-won experience and intense, time-consuming analysis of the install base. Configuration Management Insights alleviates all this and enables you to automatically predict the configuration templates for different network devices by learning the patterns of association between configuration snippets. This helps to establish a baseline that can be used to fine-tune and kick-start the standardization journey.
Configuration Management Insights also enables an on-demand audit capability that details how compliant the network is with your standards. Configuration standardization leads to more predictable results: when devices are compliant with a known “golden” standard, they tend to be more supportable and less complex to troubleshoot.
With Configuration Management Insights, you can put the struggle behind you. Using network analytics, the tool helps engineers set configuration standards based on their business’s requirements. The goal is to ensure that businesses use consistent, standardized policy rules that are tailored to their devices and organizational needs.
Historically, optimizing network design and network policies required a tremendous amount of manual effort and customization. To the extent that automated solutions were available, they were usually high-touch, high-expertise, high-cost processes that had to be complemented with bespoke consultancy services. This means they were traditionally out of reach for all but the largest customers.
AI/ML-based network design solutions from Cisco are changing this. Today, any business can digitize network design and policy optimization, making it easier than ever to ensure that networks are tailored to business needs. Through this democratization, we are giving customers the power to act on previously complex or unknown “hidden” insights in an automated fashion. This empowers you to think deeper about design strategies and how design components affect the business.